[kwlug-disc] Trace spam email back to source

Yas Adem yadem.ethio at gmail.com
Tue Jun 30 11:33:51 EDT 2020


Thanks for sharing, Khalid. Here is the header I got from "show original":

Received: by 2002:a05:6a10:b747:0:0:0:0 with SMTP id w7csp1499769pxx;
        Tue, 30 Jun 2020 06:57:41 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy00zExoLc6pgLQh0NFZBOjRfTjga2PhYJwd3KW6ag1+D4ry/995bIoNSH/+vurPnJ/lIkf
X-Received: by 2002:ac8:1972:: with SMTP id g47mr20878321qtk.180.1593525461513;
        Tue, 30 Jun 2020 06:57:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1593525461; cv=none;
        d=google.com; s=arc-20160816;
        b=z42x1Xw8F1ZUPKsgUo8QMS3Q47VE1vMht8MROiPKwbe2tiVPZiVhAzx+cxLaQCf2Q3
         rHwo+ufhbBiAevGXvyTXW769HYjmO2F1Mi0i6b6JKPNQ/cZudq41sUuBBqGhTopPNOhu
         0qn5pNGyt7dTJGWg4rmaa/QO2c2GgLRyGxlZqQ/6ayMEmqiWvywao45Hd2fVHdKTLcPu
         u3C1j4OVhLgnWTIAB6E/C2iLoZj3jOn9Wd+U7CnwVRZNRuHWbh9jA1nkjjTVavwgV/wc
         /oTB6kf1/gP5u4IhfheoJgfqhZY3w9W/MxNrSFe0f7QDobxEGdmNqri1ThGS2Qc6I00E
         dKUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
        s=arc-20160816;
        h=references:mime-version:subject:message-id:reply-to:from:date
         :dkim-signature;
        bh=e3xLxgN9af6bSHmyc2a9PYsP/Sj5aMLOuc6q5eu5q24=;
        b=smgVI8TfLyqUxPQUKo2gzeWsG/zvhiv3RdX3PPEGiWDPe0U6tHbEvkWBOJLjX/vTuf
         AVeZxui/I7xk9MbE6zHlWeHOouRfpjqpBkslb6RMkRlcicrEhs8kdJCyTiPXTix0/gdx
         nCE/WZ/8LgW9IKwfajFJMfTtLIdg/rm6ZRtQn17mUD+clVPB+vNTuKVUpsohXuiGrfJq
         WZxtpe5Arjo2QKAqm9u3yBI0URWloY2eduKntFNXLSXUmY7J5ewiUYmwWOMXy5OM05yI
         jf65tUo4Zfi2MAmzFs5KB31MuGE2A7fUnhgMAOmEzTbmwcL2iB+5K7G6grbrrRktStHU
         JwWQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@rogers.com header.s=s2048 header.b="mJz9+t/W";
       spf=neutral (google.com: 74.6.132.219 is neither permitted nor denied by best guess record for domain of escape01 at rogers.com)
       smtp.mailfrom=escape01 at rogers.com
Return-Path: <escape01 at rogers.com>
Received: from sonic314-45.consmr.mail.bf2.yahoo.com (sonic314-45.consmr.mail.bf2.yahoo.com. [74.6.132.219])
        by mx.google.com with ESMTPS id e7si1946230qtk.287.2020.06.30.06.57.41
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 30 Jun 2020 06:57:41 -0700 (PDT)
Received-SPF: neutral (google.com: 74.6.132.219 is neither permitted nor denied by best guess record for domain of escape01 at rogers.com)
        client-ip=74.6.132.219;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@rogers.com header.s=s2048 header.b="mJz9+t/W";
       spf=neutral (google.com: 74.6.132.219 is neither permitted nor denied by best guess record for domain of escape01 at rogers.com)
       smtp.mailfrom=escape01 at rogers.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com;
        s=s2048; t=1593525460; bh=e3xLxgN9af6bSHmyc2a9PYsP/Sj5aMLOuc6q5eu5q24=;
        h=Date:From:Reply-To:Subject:References:From:Subject;
        b=mJz9+t/W0ql7bDOQF67ghmNqFwq2tBySUr5QssHRRj5DABDhjTzjxHLbk4HU3ZuX821hUkunRSmGrIl+
         5bBvGBoCtRicOsPHDZNVQeSDbVT3+WMWIplVIX/eSFLpAQOF4Ji13gYDAGmwrs4U+/
         idj0DTkl05zalB3ann5h3nTCRuqbQsu4g4dlx+Lw0u1ZSjI304aCWMt+
         Qes24uLTPfvKgBTQxuaR/7W85kJmgUKep0HhWZfliPE0XK/
         mF99dE9IOvBxyvIVL0e83uRZRuVXVsbd89uHfFXyEcgRq46RDe2adr+
         eh3IXT96qVsBUFstzSACa6MMiMQPED4ok0NTgg==
X-YMail-OSG: ZzSVHj8VM1nTgROsj.fZZpFwtfVQTkW1KKa2xi0NRjb.6_zCnf4CIcjaMvD8zZR
 hJepbVrj34qC8FoW7.AQFAGCpax.pN.Y84XT60DGLdnYDyAe8.Q5_jh0ev7DX9ZV.1bM5p9dXDQj
 vS5SDNfm50VduUkK_5w2AcSJY8KtOZxpr52emcSPxDGkfrhCRU_OO91N5RdI.gi2TlYeZiCNGhkE
 zxRZJcNwbh2HFfbXBvG0YeIf7xcKw4IYp9AixPRJ_W4bEAyApTJQTC1OEQFQq.ikxH71eP5Ylk66
 YHkmNHbQW4B8EXfZDY8ccVz90WAfj3uts66vvmS0JZl_AQj3hYRMkhvJDvLCI4kdBKRAk66QBBYk
 dxi.vlebWJKEV87BzIDI5PlU9VDFLgI4ydOjz7U4d2QFmoLBEewKO.QcuUZlMQue4q.CiEXMIlT2
 74vr4UyRU2s956Eqx9H3crS_0UzXDCgebfGpW13dSuwET0ljt.rCbH9XhbCVHMI3Mp5MGoJomp1r
 US60xGtWJbgDQsOCUZCPopAr.9nDoF.WlMfL_vdnfGczXbMQuOFUTbPVdJNgxqW9XZmDQwN4T2gJ
 3iaadjJSIJaML6b5.igUOO3.0oT.nMYPDk2BNrKa1j72W3_QrQSG_3Xu65muFrnNWM0sIivnvJTO
 EDxXbum_dTBMKTwB0sP36XCkRDGzrm8fFNmczqzZ7ZUmIrCCwpGIkhKDpCK9r3dJ8i726g6iEx_0
 tNUVdyXMKHo_aLHpnzf.yzxT2yS4DAyx1va2whYJeWzVE9.vwEiziQhV6vVO1zF.5UA4x6bbU_Ed
 boqOwiAwzNbZ5x9d_.tA1d8fdbhbP5oeiufKHP75yNg5SCTLsiFEuqzBY6lU_hnQ9uZYIyAk4Nh7
 w_nKlbmxG4YF3nB4W9tF85x9b70.fr.NHe24S6GyDucJCq2MYlKrLyZiG7lXO8IrIs0YPd8uGbp7
 EQQivjxU8H4puC4enWMz26vf7TXbTTXkg4hj1KhTv2D6oXkT9T6kGR3husYX_fKKP_054.VpBnO9
 dNT796KBi_KrCWuf1gzEsNEyNl8J.RsHNp8Kikl_jK1rrxVT__PkZKmhZKmhvMiWFcJyd3Qqolfi
 g1NXtokXsc.Ysn8QbPH0rrOv.CTdwgTwozRLsbhM16jLjgax7A7OgxcV7E4Djkl53rBknwRruA96
 l9OhBQvlJreaNuVA.4Gsx_hRe6SGYa31ayBdFKwOxWKF8San4yALXajvWnAl9ZSqHXLIh.1WiApp
 DvCt4yLn7GQJ3.b7J1UfWDHQr3X0XYIdksEDZmESLmXMR9NnEM8OKenoiccIhvp4OVAVDTEtRW5Y
 YQrZTFg_8EKwq7JtCSE7o0XGhbGsBDB_8JMTzJpXDFNxK8X9PUISOt8cIThJjoVHXNiHftFS1yI0
 CxL7e_xY-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic314.consmr.mail.bf2.yahoo.com with HTTP;
        Tue, 30 Jun 2020 13:57:40 +0000
Date: Tue, 30 Jun 2020 13:55:40 +0000 (UTC)
From: MARK GOWING <escape01 at rogers.com>
Reply-To: MARK GOWING <escape01764 at gmail.com>
Message-ID: <776184292.179935.1593525340251 at mail.yahoo.com>
Subject: Request..
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_179934_2079552658.1593525340250"
References: <776184292.179935.1593525340251.ref at mail.yahoo.com>
X-Mailer: WebService/1.1.16197 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64)
        AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 1701

------=_Part_179934_2079552658.1593525340250
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hello,
How are you doing? I hope you're good.. I need your assistance please kindl=
y get back to me.=C2=A0Thank you.Mark

Regards
Yasin



On Tue, Jun 30, 2020, 11:19 AM Khalid Baheyeldin, <kb at 2bits.com> wrote:

> Yes, it is sad ...
>
> A while back, I started putting examples of scam emails on my web site, as
> a warning.
>
>
> https://baheyeldin.com/technology/technology-in-society/internet-scams-and-fraud.html
>
> The sadder thing is that people mistake my site for other people, from
> Cairo hotels, the Library of Alexandria, all the way to the Sultan of Brunei
>
>
> https://baheyeldin.com/technology-in-society/mistaken-identity-how-some-people-confuse-my-site-for-others.html
>
> I got many emails from people who have actually paid scammers for lottery
> winnings or other scams, asking what to do next. Convincing them that
> they have been a victim of a scam is painful. Many of them are from poor
> countries and have borrowed to pay insurance/bank/taxes/courier fees in the
> hope of getting more money ...
>
> With social media, and friends posting things without basic fact checking,
> it has become even worse, and more of a futile effort ... not outright
> money scams, but scams in other aspects of life ...
>
> On Tue, Jun 30, 2020 at 11:10 AM Yas Adem <yadem.ethio at gmail.com> wrote:
>
>> Thanks guys. I won't spend much time on it... I was just curious... lots
>> of old people get scammed by this, and it's really sad.
>>
>> Regards
>>
>> Yasin
>>
>> On Tue, Jun 30, 2020, 11:00 AM Khalid Baheyeldin, <kb at 2bits.com> wrote:
>>
>>> The From address can be forged, so it is not necessarily that his email
>>> is hacked.
>>>
>>> If you look into the email headers, which in Gmail are under 'Show
>>> Original', they may give a clue as to what server it came from.
>>>
>>> But don't spend too much time on it, since it can be anything.
>>>
>>> On Tue, Jun 30, 2020 at 10:51 AM Yas Adem <yadem.ethio at gmail.com> wrote:
>>>
>>>> Hey Guys,
>>>>
>>>> I just received an email from a friend I know, and interestingly the
>>>> reply-to is a different email address. This email is basically asking me
>>>> to purchase Google Play gift cards for him as he is in hospital helping a
>>>> relative; in short, I believe his email has been hacked. I am not an expert
>>>> on this, but is there a way to trace back to their source IP, etc.?
>>>>
>>>>
>>>> Regards
>>>> Yasin
>>>>
>>>>
>>>> _______________________________________________
>>>> kwlug-disc mailing list
>>>> kwlug-disc at kwlug.org
>>>> https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>>
>>>
>>>
>>> --
>>> Khalid M. Baheyeldin
>>> 2bits.com, Inc.
>>> Fast Reliable Drupal
>>> Drupal performance optimization, hosting and consulting.
>>> "Sooner or later, this combustible mixture of ignorance and power is
>>> going to blow up in our faces." -- Dr. Carl Sagan
>>>
>>
>
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> Fast Reliable Drupal
> Drupal performance optimization, hosting and consulting.
> "Sooner or later, this combustible mixture of ignorance and power is going
> to blow up in our faces." -- Dr. Carl Sagan
>
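The header walk Khalid suggests, as an added example (not code from the thread or from any of its participants): a Python script that reads a "Show original" header block, lists the Received hops oldest-first, pulls the IP literal that handed the message to the receiving MX, and checks the From/Reply-To pair against the Authentication-Results and DKIM-Signature headers. The sample input is the header block pasted above, condensed: the archive's " at " is restored to "@", the ARC and opaque Yahoo headers are left out and the base64 signature values are dropped, since none of those change the routing view. Two caveats a practitioner would add: Received lines older than your own provider's (here the two added at Google) were written on the sending side and can be fabricated, so the first IP your MX recorded is the last point you can verify yourself; and a webmail submission ("with HTTP") normally records no client IP at all, so the submitter's address is known only to that provider, which is where a home-grown trace stops and an abuse report to the provider begins.

```python
"""Walk the Received chain and authentication results of a pasted header block.
Added example, not code from the thread; assumes Gmail "Show original" text with
the archive's " at " restored to "@" and the base64 signature values dropped."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header block pasted above, condensed as described.
SAMPLE_HEADERS = """\
Received: by 2002:a05:6a10:b747:0:0:0:0 with SMTP id w7csp1499769pxx;
        Tue, 30 Jun 2020 06:57:41 -0700 (PDT)
Received: from sonic314-45.consmr.mail.bf2.yahoo.com (sonic314-45.consmr.mail.bf2.yahoo.com. [74.6.132.219])
        by mx.google.com with ESMTPS id e7si1946230qtk.287.2020.06.30.06.57.41;
        Tue, 30 Jun 2020 06:57:41 -0700 (PDT)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@rogers.com header.s=s2048 header.b="mJz9+t/W";
       spf=neutral (google.com: 74.6.132.219 is neither permitted nor denied by best guess record for domain of escape01@rogers.com) smtp.mailfrom=escape01@rogers.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rogers.com; s=s2048;
        t=1593525460; h=Date:From:Reply-To:Subject:References:From:Subject;
Received: from sonic.gate.mail.ne1.yahoo.com by sonic314.consmr.mail.bf2.yahoo.com
        with HTTP; Tue, 30 Jun 2020 13:57:40 +0000
Date: Tue, 30 Jun 2020 13:55:40 +0000 (UTC)
From: MARK GOWING <escape01@rogers.com>
Reply-To: MARK GOWING <escape01764@gmail.com>
Message-ID: <776184292.179935.1593525340251@mail.yahoo.com>
Subject: Request..
"""

HOP_RE = re.compile(
    r"(?:from\s+(?P<from>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+)?"
    r"by\s+(?P<by>\S+)(?:\s.*?\bwith\s+(?P<with>[^\s;]+))?", re.I)

def parse_hop(value: str) -> dict:
    """Split one Received header into from / by / with / ip / timestamp."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", m.group("paren") or "") if m else None
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""  # date-time follows the last ';'
    return {
        "from": m.group("from") if m else None,
        "by": m.group("by") if m else None,
        "with": m.group("with") if m else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }

def trace(raw: str) -> dict:
    """Summarise routing and authentication evidence, oldest hop first."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received line, so reversing gives travel order.
    hops = [parse_hop(v) for v in reversed(msg.get_all("Received", []))]
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    auth = " ".join(msg.get("Authentication-Results", "").split())
    sig = " ".join(msg.get("DKIM-Signature", "").split())
    dkim, spf = re.search(r"\bdkim=(\w+)", auth), re.search(r"\bspf=(\w+)", auth)
    d_tag, h_tag = re.search(r"\bd=([^;\s]+)", sig), re.search(r"\bh=([^;\s]+)", sig)
    # The earliest hop carrying an IP literal is the address that handed the message
    # to the receiving MX; anything older was written by the sender's side.
    handoff = next((h for h in hops if h["ip"]), None)
    times = [h["time"] for h in hops if h["time"]]
    return {
        "hops": hops,
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "reply_to_domain": reply_addr.rpartition("@")[2].lower(),
        "dkim": dkim.group(1) if dkim else None,
        "dkim_domain": d_tag.group(1).lower() if d_tag else None,
        "dkim_signed": [h.lower() for h in h_tag.group(1).split(":")] if h_tag else [],
        "spf": spf.group(1) if spf else None,
        "handoff_ip": handoff["ip"] if handoff else None,
        "handoff_host": handoff["from"] if handoff else None,
        "timestamps_monotonic": all(a <= b for a, b in zip(times, times[1:])),
        "transit_seconds": (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0,
    }

def verdicts(r: dict) -> list:
    """Plain-language conclusions of the kind the thread asks for."""
    out = []
    if r["reply_to_domain"] and r["reply_to_domain"] != r["from_domain"]:
        note = f"Reply-To is at {r['reply_to_domain']} while From claims {r['from_domain']}"
        if "reply-to" in r["dkim_signed"]:
            note += " and Reply-To was inside the DKIM-signed content, so it was set at the sending side"
        out.append(note + ".")
    if r["dkim"] == "pass" and r["dkim_domain"] == r["from_domain"]:
        out.append(f"DKIM pass by {r['dkim_domain']}: signed by the From domain's own mail system, "
                   "so From was not simply forged in transit.")
    first = r["hops"][0] if r["hops"] else None
    if first and (first["with"] or "").upper() == "HTTP" and not first["ip"]:
        out.append(f"Earliest hop is a webmail submission inside {first['by']} with no client IP "
                   "recorded; the submitter's address is known only to that provider.")
    if r["handoff_ip"]:
        out.append(f"Handed to the receiving MX by {r['handoff_ip']} ({r['handoff_host']}); "
                   "that is the last externally verifiable address.")
    return out

if __name__ == "__main__":
    for line in verdicts(trace(SAMPLE_HEADERS)):
        print("*", line)
```

Run it as a script to print the verdicts, or call `trace()` on any pasted header block. The DKIM result on its own only says that the sending domain's infrastructure signed the message, not who was at the keyboard; that is why the Reply-To diversion to a different mailbox, signed along with the rest, is the more telling indicator in a gift-card request like this one.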